| Field | Value |
|---|---|
| File name | DHL RECEIPT DOCUMENT,pdf.iso |
| Full analysis | https://app.any.run/tasks/9dbc7fd3-5b84-4a81-811a-b0da32c0d174 |
| Verdict | Malicious activity |
| Threats | NanoCore is a Remote Access Trojan (RAT). The malware is highly customizable through plugins, which let attackers tailor its functionality to their needs. NanoCore is written on the .NET framework and is available for purchase for just $25 from its "official" website. |
| Analysis date | April 25, 2019, 08:01:38 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-iso9660-image |
| File info | ISO 9660 CD-ROM filesystem data 'DHL RECEIPT DOCUMENT,pdf' |
| MD5 | 302CADA125991F10C48322D03B10A2D4 |
| SHA1 | 486ECB4ACFFF15323AB928D6209B4987B2FDAAD6 |
| SHA256 | 24FFE8565472C60E0C2665592B757BEB82E739042BEB920356D0706A9805F5BA |
| SSDEEP | 24576:bAHnh+eWsN3skA4RV1Hom2KXMmHaD76wIvT6NSkL9Ilax6J5:2h+ZkldoPK8YaDuua |
| Extension | Identified file type (match score) |
|---|---|
| .iso | ISO 9660 CD image (27.6) |
| .atn | Photoshop Action (27.1) |
| .gmc | Game Music Creator Music (6.1) |
| Field | Value |
|---|---|
| System | Win32 |
| VolumeName | DHL RECEIPT DOCUMENT,pdf |
| VolumeBlockCount | 715 |
| VolumeBlockSize | 2048 |
| RootDirectoryCreateDate | 2019:04:25 05:50:37+01:00 |
| Software | PowerISO |
| VolumeCreateDate | 2019:04:25 05:50:37.00+01:00 |
| VolumeModifyDate | 2019:04:25 05:50:37.00+01:00 |
| VolumeSize | 1430 kB |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2140 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\DHL RECEIPT DOCUMENT,pdf.iso | C:\Windows\system32\rundll32.exe | — | explorer.exe |
| 2792 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DHL RECEIPT DOCUMENT,pdf.iso" | C:\Program Files\WinRAR\WinRAR.exe | — | rundll32.exe |
| 2708 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2792.32873\DHL RECEIPT DOCUMENT,pdf.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2792.32873\DHL RECEIPT DOCUMENT,pdf.exe | — | WinRAR.exe |
| 3948 | "C:\Users\admin\Desktop\DHL RECEIPT DOCUMENT,pdf.exe" | C:\Users\admin\Desktop\DHL RECEIPT DOCUMENT,pdf.exe | — | explorer.exe |
| 2800 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | DHL RECEIPT DOCUMENT,pdf.exe |
| 1224 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | DHL RECEIPT DOCUMENT,pdf.exe |

| PID | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|
| 2140 | admin | Microsoft Corporation | MEDIUM | Windows host process (Rundll32) | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2792 | admin | Alexander Roshal | MEDIUM | WinRAR archiver | | 5.60.0 |
| 2708 | admin | AuthFWWizFwk | MEDIUM | cdp | 0 | 777.740.177.711 |
| 3948 | admin | AuthFWWizFwk | MEDIUM | cdp | 0 | 777.740.177.711 |
| 2800 | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | | 2.0.50727.5420 (Win7SP1.050727-5400) |
| 1224 | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | 0 | 2.0.50727.5420 (Win7SP1.050727-5400) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2792 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2792.33618\DHL RECEIPT DOCUMENT,pdf.exe | — | — | — |
| 2708 | DHL RECEIPT DOCUMENT,pdf.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\services.url | text | F02A2C244D873AE6E33F473975DC6691 | 53451F6D25F1C7C520A96E2FEE5E22B76ACB0C34310BDF60893827AEFD7A9F7D |
| 2800 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text | 7C7B77A0D25126FCC468852A9194697C | 1409A728038D1F7CF496863AA7D76D89C3BCD6299347BFEE82C27192B169F7F7 |
| 2708 | DHL RECEIPT DOCUMENT,pdf.exe | C:\Users\admin\AppData\Roaming\aepic\services.vbs | text | 2B605F29C7C86E22BCEFEF3B4EC7AACC | 50AD2EAFAA4D5C52D7F0C0AF6A74E181A9E1733B839EDCC97CAADD1755BFD4AF |
| 2708 | DHL RECEIPT DOCUMENT,pdf.exe | C:\Users\admin\AppData\Roaming\aepic\SpeechRuntime.exe | executable | 1F7680DAA6B138F201114ACAEF6D0516 | B2DA6265D3BB2BF753FCD8A669367F61CFBCD08ACC108A4F9AEB077C21906E3D |
| 3948 | DHL RECEIPT DOCUMENT,pdf.exe | C:\Users\admin\AppData\Roaming\aepic\services.vbs | text | 2B605F29C7C86E22BCEFEF3B4EC7AACC | 50AD2EAFAA4D5C52D7F0C0AF6A74E181A9E1733B839EDCC97CAADD1755BFD4AF |
| 3948 | DHL RECEIPT DOCUMENT,pdf.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\services.url | text | F02A2C244D873AE6E33F473975DC6691 | 53451F6D25F1C7C520A96E2FEE5E22B76ACB0C34310BDF60893827AEFD7A9F7D |
| 2792 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2792.32873\DHL RECEIPT DOCUMENT,pdf.exe | executable | 294CED1DCF92337B81AD416DD8B18B8A | 66C6841080C90951F84E26034C844D810066F4FD17C52F00D8265CA19DDD041E |
| 3948 | DHL RECEIPT DOCUMENT,pdf.exe | C:\Users\admin\AppData\Roaming\aepic\SpeechRuntime.exe | executable | E44C923F7135F6EEABED8D1BB070EF4E | 032C995E03A662EB3253DC66A607AB201F7289ED2DE2D0A2610308964B87A839 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2800 | RegAsm.exe | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
| 2800 | RegAsm.exe | 178.239.21.9:6783 | futuremoney.ddns.net | Telekomunikacije Republike Srpske akcionarsko drustvo Banja Luka | BA | unknown |
| Domain | IP | Reputation |
|---|---|---|
| futuremoney.ddns.net | | malicious |